On the heels of our discussion about "should TLS be mandatory" comes this
article from Adam Langley.
It's worth a read.

Many on this list have advocated that you don't need to secure everything,
just the login pages (common practice with HTTP today). Read this article
and then ask yourself if that is really true.

http://www.imperialviolet.org/2012/07/19/hope9talk.html

Mixed modes of sometimes-secure-and-sometimes-not-secure open a slew of
attacks that are only solved if you're all TLS all the time. If someone
has a better solution, let me know; I don't know of one.

Mike